Gateway (Web Server)

The following security considerations apply to the gateway:

  • The gateway needs network access:

    • To all agent servers

    • To any respective agent services

    • To the Elasticsearch cluster, as described in the firewall section.

  • The Internet Information Services configuration or Apache Server user account needs:

    • Read access to the Apps folder on your deployment.

    • Read/write access to the Logs folder on your deployment.

    • Read access to the certificates used to secure communications with Elasticsearch.

  • From a defence-in-depth perspective, the principle of least privilege should apply.

    • The account should have the minimum privileges required to run the apps.

  • For production deployments, end-user access should be secured over HTTPS with a valid certificate, not a self-signed one.

  • You can lock the Control Hub down to specific IP addresses, for example that of a remote desktop host. This provides additional security over and above the authentication required to access the app.

    • To do this, you must lock the admin and the API sub-folder down to specific IP addresses.
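
One way to express the IP restriction above on an Apache 2.4 gateway. This is an added example, not configuration from the product documentation. The URL paths `/admin` and `/api` are placeholders for wherever the Control Hub admin pages and API sub-folder are served in your deployment, and `203.0.113.10` is a constructed address standing in for the remote desktop host.

```apache
# Added example. Assumes Apache 2.4 with mod_authz_core and mod_authz_host.
# /admin and /api are placeholder paths; 203.0.113.10 is a constructed address.

# Control Hub admin pages: reachable only from the listed host.
# <Location> sections are applied after <Directory> sections, so this
# replaces any broader "Require all granted" on the underlying folder.
<Location "/admin">
    Require ip 203.0.113.10
</Location>

# The API sub-folder must be restricted as well, otherwise the admin
# functions remain reachable through the API from any address.
<Location "/api">
    Require ip 203.0.113.10
</Location>
```

If the gateway sits behind a reverse proxy or load balancer, Apache sees the proxy's address rather than the client's, so the restriction has to be enforced at the proxy or the real client address restored (for example with mod_remoteip) before `Require ip` is evaluated.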